Wednesday, 16 October 2013

SIEM plus Correlation = Security?

Introduction
Whether you are working from a SANS 20 Security Best Practices approach, or working with an auditor for SOX compliance or QSA for PCI compliance, you will be implementing a logging solution.

Keeping an audit trail of key security events is the only way to understand what ‘regular’ operation looks like. Why is this important? Because it is only when you have this clear that you can begin to identify irregular and unusual activity which could be evidence of a security breach. Better still, once you have that picture of how things should be when everything is normal and secure, an intelligent log analysis system, aka SIM or SIEM, can automatically assess events, event volumes and patterns to intelligently judge on your behalf if there is potentially something fishy going on.

Security Threat or Potential Security Event? Only with Event Correlation!
The promise of SIEM systems is that once you have installed one of these systems, you can get on with your day job and if any security incident occurs, it will let you know about it and what you need to do in order to take care of it.

The latest ‘must have’ feature set is correlation, but this must be one of the most over used and abused technology term ever!

The concept is straightforward: isolated events which are potential security incidents (for example, ‘IPS Intrusion Detected event’) are notable but not as critical as seeing a sequence of events, all correlated by the same session, for example, an IPS Alert, followed by Failed Logon, followed by a Successful Admin Logon.

In reality, these advanced, true correlation rules are rarely that effective. Unless you are in a very active security bridge situation, with an enterprise comprising thousands of devices, standard single event/single alert operation should work well enough for you.

For example, in the scenario above, it should be the case that you DON’T have many intrusion alerts from your IPS (if you do, you really need to look at your firewalling and IPS defenses as they aren’t providing enough protection). Likewise if you are getting any failed logins from remote users to critical devices, you should put your time and effort into a better network design and firewall configuration instead of experimenting with ‘clever, clever’ correlation rules. It’s the KISS* principle applied to security event management.

As such, when you do get one of the critical alerts from the IPS, this should be enough to initiate an emergency investigation, rather than waiting until you see whether the intruder is successful at brute forcing a logon to one of your hosts (by which time it is too late to head off any way!)

Correlation rules perfected – but the system has already been hacked…
In fact, consider this last point further, as it is where security best practices deviate sharply from the SIEM Product Managers pitch. Everyone knows that prevention is better than cure, so why is there so much hype surrounding the need for correlated SIEM events? Surely the focus should be on protecting our Information Assets rather than implementing an expensive and complicated appliance which may or may not sound an alarm when systems are under attack?

Security Best Practices will tell you that you must implement – thoroughly – the basics. The easiest and most available security best practice is to harden systems, then operate a robust change management process.
By eliminating known vulnerabilities from your systems (primarily configuration-based vulnerabilities but, of course, software-related security weaknesses too via patching) you provide a fundamentally well-protected system. Layer up other defense measures too, such as anti-virus (flawed as a comprehensive defense system, but still useful against the mainstream malware threat), firewalling with IPS, and of course, all underpinned by real-time file integrity monitoring and logging, so that if any infiltration does occur, you will get to know about it immediately.

Conclusion
Contemporary SIEM solutions offer much promise as THE intelligent security defense system. However, experience and the evidence of ever-increasing numbers of successful security breaches tell us that there is never going to be a ‘silver bullet’ for defending our IT infrastructure. Tools and automation can help of course, but genuine security for systems only comes from operating security best practices with the necessary awareness and discipline to expect the unexpected.